From: Peter Wu (peterwu hotmail.com)
Date: Fri Mar 01 2002 - 21:57:41 CST

Additionally, you cannot pass a parameter to the executable launched.
----- Original Message -----
From: "Stefan Osterlitz" <stefan osterlitz.de>
To: "GreyMagic Software" <security greymagic.com>
Cc: "BUGTRAQ SECURITYFOCUS. COM" <BUGTRAQ securityfocus.com>
Sent: Friday, March 01, 2002 7:01 PM
Subject: Re: IE execution of arbitrary commands without Active Scripting or ActiveX (GM#001-IE)
> > Solution:
> > =========
>
> > There is no configuration-tweaking workaround for this bug, it will work as
> > long as the browser parses HTML. The only possible solution must come in the
> > form of a patch from Microsoft.
>
> IMHO this is wrong. You can disable the download of signed / unsigned
> ActiveX controls.
> My IE version 5.00.2614.3500 w/patches is not vulnerable with that setting.
>
>
>
> > Tested on:
> > ==========
>
> > IE5.5sp2 Win98, all patches, Active scripting and ActiveX disabled.
> > IE5.5sp2 NT4 sp6a, all patches, Active scripting and ActiveX disabled.
> > IE6sp1 Win2000 sp2, all patches, Active scripting and ActiveX disabled.
> > IE6sp1 WinXP, all patches, Active scripting and ActiveX disabled.
>
>
>
>